I've been battling this out with my co-workers for a while myself. I don't see the point in using OpenSSH. It's not like they are going to support me when something goes wrong and yes.. the PAM and Kerberos support in OpenSSH is pretty broken! I'd rather use something that's been integrated and tested with the OS I'm using. I've found that even if my co-workers compile OpenSSH, they have to go down the lane of compiling MIT Kerberos and dealing with OpenSSH's bad PAM support. You can definitely make it work, from a basic functionality standpoint. But beyond that, it's pretty broken if you are using Kerberos. Definitely not something I would recommend for a production environment :)
My only gripe would be the disconnect in features between the different implementations. I recently ran into an issue where some programmers were depending on an OpenSSH feature that controls the connection timeout. No such feature exists in SunSSH, and so the battle started at work. So parity with features is important. Personally, I don't think it's good for users to use oddball features in any software, but it's difficult to break bad habits. So there's my two cents..

-Octave

--- "Bruno S. Delbono" <[EMAIL PROTECTED]> wrote:

> * on the Sun, Jan 08, 2006 at 01:13:15AM -0800, Mike Bo was tippering:
> > Darren wrote:
> > > Why not ? Why can't OpenSolaris just be as quick as OpenBSD ?
> >
> > When there is a problem with OpenSSH, does the Sun team investigate whether
> > it affects their forked code base? If so, don't they have to port the fix
> > and then do regression testing? Doesn't this take time?
> >
> > > It is also worth noting that some of the security bugs that have impacted
> > > the OpenSSH code in recent years have NOT impacted the SSH
> > > in Solaris.
> >
> > That's cool... congrats.
>
> So, erm..what does that mean? Are you ^trying^ to be snotty or is that a
> point.
>
> > > So why is it okay to advertise that it is OpenSSH but not okay to
> > > advertise the OS ?
> >
> > I believe that knowing a machine's OS could possibly help an attacker
> > exploit version-specific security vulnerabilities.
>
> It's pretty darn easy these days to guess the OS. There are one too many tools
> that can help you do this... and truly, "security through obscurity" has never
> really helped secure anything.
>
> > > Have you actually read the SSH protocol specification ?
> >
> > No, I'm not an SSH developer. But UNIX admins are often in a position to
> > decide which SSH implementation to use. It might be interesting to read a
> > "how to" document that illustrates the SunSSH enhanced functionality with
> > practical examples. But until the real benefits outweigh a perceived risk, I
> > will continue to replace SunSSH with OpenSSH.
>
> You are welcome to do what you want...(and frankly no one cares), but Darren
> has provided some very valid points. Sun's SSH does come with additional
> functionality out of the box and is supported. No one is holding your hands or
> preventing you to run one version over the other.
>
> --
> Bruno Delbono
> Open-Systems Group Inc.
> http://www.open-systems.org/users/bruno/
>
> _______________________________________________
> opensolaris-discuss mailing list
> [email protected]

***********************************
* Octave J. Orgeron
* Solaris Infrastructure Architect
* http://unixconsole.blogspot.com
* [EMAIL PROTECTED]
***********************************
